Tag Archives: PII

Breach Brief – T-Mobile

Mobile phone service provider T-Mobile has announced a data breach of its customer information.

According to a post on the carrier’s website, the hack was discovered on August 20 by its cybersecurity team. The team shut down unauthorized access to certain information and T-Mobile quickly reported the incident to authorities. T-Mobile reported that the attackers did not get access to financial information, social security numbers, or passwords. However, the company did admit that some personal information may have been compromised, including name, billing zip code, phone number, email address, account number and account type.

In a statement T-Mobile said, “Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information. We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.”

T-Mobile did not report an exact number of customers affected by the breach. But a spokesperson for the company told Motherboard that it impacted roughly “3 percent” of its 77 million customers, amounting to around two million people. “Fortunately not many,” the spokesperson said in a text message, adding she could not say the exact number, reported Motherboard.

T-Mobile is the third largest cell service provider in the U.S. with 77 million customers. The company has about half the customers of Verizon and AT&T, which have 152 million and 147 million customers respectively.

Breach Brief – Macy’s, Adidas

Macy’s department stores has reported a data breach of customer data. The breach affects Macy’s online customers and exposed names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s pointed out that it does not store credit verification values (CVV) or Social Security numbers in its online customer profiles. Macy’s has reported the data breach and exposed card numbers to payment processors Visa, MasterCard, American Express and Discover. Macy’s has not said how many customers are impacted.

According to Macy’s, the breach took place between April 26 and June 12. The company reported that an “unauthorized third party” had obtained usernames and passwords and was able to log into the online profiles of shoppers at Macy’s and its subsidiary Bloomingdale’s. It is not known how the hackers got the information. Macy’s reported the breach in a letter to the New Hampshire Attorney General’s Office on July 2nd.

Macy’s has frozen any customer profiles with suspicious activity until the customers change their passwords.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” the company said in a statement. “Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

 

Adidas

Adidas, maker of sportswear and equipment, issued a warning to online shoppers in the U.S. that their personal information may have been compromised as a result of a suspected data breach. Adidas first became aware of the incident on June 26 and analysts are saying that potentially millions of customers could be affected.

A preliminary investigation revealed that the hacker may have stolen customers’ contact information, usernames and encrypted passwords. Adidas does not believe any credit card or health and fitness information was compromised.

A statement on Adidas’ website read: “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The company is in the process of notifying affected customers.

Breach Brief – Exactis

Who is Exactis and what do they know about me? That is the question you need to be asking. No, you haven’t heard of Exactis, but they may have exposed some of your most personal information to hackers. You, along with everybody else in the U.S.

Exactis is a major data gathering company based in Palm Coast, FL. The Exactis website describes the company as a compiler and aggregator of business and consumer data. Exactis claims to have a store of information it refers to as a “universal data warehouse” that contains 3.5 billion consumer, business and digital records. Exactis claims these records are updated monthly. According to Exactis’ LinkedIn profile, it is a privately owned company with only 10 employees. Exactis gathers this information from cookies on personal computers, credit and debit transaction records and other sources.

Now you should ask: what do they know about me? The exposed records contain more than 400 different characteristics that include whether the person smokes, what their religion is and whether they have dogs or cats. But, according to Wired.com, some of the information is inaccurate or outdated.

Your next question is: how did this happen? According to security researcher Vinny Troia, the company leaked the data of 340 million individuals by storing it on an unsecured server accessible through the internet. According to Wired.com, Troia discovered what he describes as nearly two terabytes of data.

Troia reported the data breach to both Exactis and the FBI. Exactis reacted by securing the data so that it’s no longer accessible.

But now ask: did criminals know this? Did they access the information? The answer to that question is unknown. But since Exactis has not admitted to the data breach and the data is no longer accessible, no one really knows how many people are affected. According to Wired.com, Troia found two versions of the database, each holding an estimated 340 million records. This number breaks down into 230 million consumer records and 110 million on business contacts.

But Marc Rotenberg, the executive director of the non-profit Electronic Privacy Information Center, said, “The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there.” Rotenberg stated that while some of the data is available in public records, much of it appears to be the sort of non-public information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports. “A lot of this information is now routinely gathered on American consumers,” Rotenberg adds.

 

 

Breach Brief – Panera Bread, Saks Fifth Avenue, Orbitz

Panera, a popular bakery-cafe, has admitted its website was leaking data. According to Brian Krebs of KrebsOnSecurity.com, Panera allegedly failed to fix issues with its website it knew about for nearly eight months. Panera Bread has over 2,100 outlets nationwide.

Cyber security researcher Dylan Houlihan notified the company of a data leak in early August 2017. Mike Gustavison, Panera director of information security, was informed of the flaw and said the company was “working on a resolution.” Despite this statement the flaw was not repaired.

Data records that leaked out contain the names, email and physical addresses, birth dates and the last four digits of the credit card numbers of Panera customers. 

Only after Krebs spoke directly with Panera chief information officer John Meister was the site shut down briefly and the data secured. The number of customers whose data may have been compromised is estimated at 37 million.

A statement from Panera Bread said: “Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

The company urges its customers to be alert for any fraudulent activity in their bank or credit accounts.

Saks Fifth Avenue/Lord & Taylor

Saks Fifth Avenue and Lord & Taylor reported a data breach affecting millions of its customers.

According to the company, “a well-known ring of cybercriminals” had stolen more than 5 million credit and debit card numbers from customers. According to the New York Times, the cyber criminals were able to pull off this massive heist by implanting software into the cash register systems.

Although it is early in the investigation, the hack appears to have only affected card numbers and not social security or driver’s license numbers.

The majority of the affected credit cards appear to have been used at Saks and Lord & Taylor stores between May 2017 and March 2018 and only in New York-New Jersey area stores.

Both Saks 5th Ave. and Lord & Taylor are owned by the Canadian company Hudson’s Bay. The company issued the following statement: “We have become aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores in North America. We have identified the issue, and have taken steps to contain it. Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”

Orbitz

The popular travel booking site Orbitz announced that its legacy site, Amextravel.com, was compromised due to a data breach. Data of 880,000 customers was compromised from January 1, 2016 through December 22, 2017.

According to the company, credit or debit card information was stolen along with personal information that includes the customer’s full name, date of birth, phone number, email address, physical and/or billing address and gender.

Orbitz plans to notify all customers whose information may have been compromised and is providing potential victims a free year of credit monitoring services. Customers can contact Orbitz for the free service either online or by calling 855-828-3959 toll-free.

 

Breach Brief – TIO Networks

TIO Networks, owned by PayPal, has suffered a data breach that may have compromised the personally identifiable information (PII) of up to 1.6 million customers. TIO suspended operations on November 10th to investigate “security vulnerabilities” in its payment platform.

According to PayPal, customer information compromised in the breach includes names, addresses, bank-account details, Social Security numbers and account login details.

TIO Networks is a Canadian company that processes payments from underserved or unbanked communities. In 2016 the company processed more than $7 billion in consumer bills. TIO serves 14 million consumer bill pay accounts. Many of these consumers are poor or receive some form of public assistance using state issued EBT cards. According to the Federal Deposit Insurance Corporation (FDIC), about 7 percent of U.S. households are considered unbanked.

The company has more than 10,000 supported billers. TIO allows establishments like convenience stores, supermarkets and even liquor stores to quickly process payments to telecom, wireless, cable and utility companies. TIO offers more than 900 self-service kiosks and approximately 65,000 retail walk-in locations as well as mobile and web solutions.

PayPal purchased TIO Networks in July for $238 million in cash. According to PayPal its payments platform is not impacted in any way. TIO systems are completely separate from PayPal and PayPal’s customers’ data remains secure.

TIO is working with the companies it services to notify potential victims affected by the breach. These consumers will be contacted directly and receive instructions on how to sign up for credit monitoring offered by PayPal.

 

Understanding Medical Data Breaches

Medical data breaches are constantly in the news. According to iHealthBeat.org, 1 in 10 U.S. residents have been impacted by a medical data breach. It is highly likely that millions of African-Americans have been the victim of a medical data breach and probably don’t know it. The sad news is that this has become common.

We need to understand a few things about data breaches. First, what is a data breach? What kind of data breaches are there? How many people are affected, and how do you fight back if you think your data has been compromised?

Put simply, a data breach is an incident where sensitive, protected or confidential information has been exposed, stolen or utilized by unauthorized individuals, often to commit some type of crime.

What kind of data breaches are there? A data breach may expose personal health information (PHI); this is a medical data breach. A breach may also expose personally identifiable information (PII), which is information that, on its own or combined with other information, can be used to identify, contact, or locate a person, or identify an individual in context. Finally, there is the data breach that exposes trade secrets or intellectual property. This usually affects businesses and is sometimes known as industrial espionage.

Medical data breaches often involve massive numbers of people and personal information records. Here are the largest medical data breaches so far this year. Look carefully, your insurance company may be on the list.

Keep in mind that medical insurance companies are not alone when it comes to data breaches. Hospitals and health service providers are a prime target for medical data hackers. The HIPAA Act covers most medical facilities. HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The law is intended to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

According to Datapipe.com these are the largest HIPAA data breaches of 2014.

According to a report released by KPMG, 81 percent of health insurance providers and hospitals have had a data breach. The survey revealed:

  • 15 percent of healthcare organizations have no one whose sole responsibility is information security.
  • 23 percent do not have a security operations center to identify and evaluate threats.
  • 55 percent say they have a hard time staffing their organization.

Why is medical data so valuable? Medical records are ten times more valuable to hackers than your credit cards.

Your medical information is a gold mine. You probably have medical information spread over several doctor’s offices, medical services and hospitals including your dentist, pharmacy and physical therapist. These records contain information such as your Social Security number, address and phone number, email, next of kin information, phone numbers, information about your children or spouse, payment information, insurance information, and much more.

Hackers use stolen medical and insurance data to create fake IDs, buy medical equipment or drugs that they can re-sell, and file fraudulent claims with insurance providers. Hackers also have more time to use stolen data to commit fraud because medical identity theft is not immediately apparent. And mostly it is because these records are easy targets. According to the KPMG report, hospitals and medical insurance companies are poor protectors of your information. According to the security firm Symantec, health care providers saw a 72 percent increase in cyberattacks from 2013 to 2014. Health care companies are required by law to publicly disclose big health data breaches. There were more than 270 such disclosures in the last two years.

So how can African-Americans avoid the theft of their medical information?

  • If your wallet is lost or stolen, make sure your insurer(s) are notified along with your financial institutions.
  • Carefully examine all medical bills and insurance statements you receive. Look for fees from health care providers you do not recognize or statements describing benefits paid out for services you did not obtain.
  • Consider an identity protection service which will help you detect most kinds of identity theft, including medical, much earlier than you might on your own and assist you through the fraud resolution process if your information is stolen.
  • Always be alert to strange phone calls or emails from people asking medical questions or insurance questions, especially if you do not know the company.
  • Alert your caregivers of any suspicious calls or activity regarding your care.
  • Keep a close watch on your credit and banking resources. Alert your financial institutions of any suspicious or fraudulent activity.
  • Take full advantage of credit monitoring services if offered.

The loss of medical data can have a devastating personal impact. An unlucky victim may have their medical insurance coverage cancelled or suspended due to fraudulent claims. Insurance premiums may skyrocket. Others may have their identity stolen completely. Changes, intentional or accidental, to medical records could result in mis-diagnosis or mis-treatment of illnesses. Pay attention to data breach notifications. The African American Cyber Report is an excellent source for the latest breach notifications.

Now you know